Notify configuration changes
Summary​
The system must notify the users whenever their authentication details or other security settings are changed.
Description​
Most systems allow their users to modify relevant information, such as access credentials and contact data. Users should be notified whenever any of these or other security settings are modified, as it could be a part of several types of attacks, e.g., account takeover attacks.
Supported In​
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References​
- CWEâ„¢-620. Unverified password change
- NIST 800-53-AC-2_4. Automated audit actions
- OWASP TOP 10-A7. Identification and authentication failures
- BIZEC-APP-APP-06. Direct database modifications
- CCPA-1798_106. Consumer's right to correct inaccurate personal information
- CCPA-1798_121. Consumer's right to limit use and disclosure of sensitive personal information
- FCRA-604-E_5. Notification system
- PDPA-6A_26B. Notifiable data breaches
- PDPA-6A_26D. Duty to notify occurrence of notifiable data breach
- CMMC-AC_L2-3_1_9. Privacy & security notices
- CMMC-AU_L2-3_3_4. Audit failure alerting
- CMMC-CM_L2-3_4_3. System change management
- HITRUST CSF-13_n. Participation and redress
- FedRAMP-SI-5. Security alerts, advisories, and directives
- LGPD-9_VII-2. Requirements for the Processing of Personal Data
- ISA/IEC 62443-IAC-1_12. System use notification
- OWASP SCP-3. Authentication and password management
- BSAFSS-VN_3-2. Vulnerability notification and patching (updates are accompanied by advisory messages)
- OWASP ASVS-2_5_5. Credential recovery
- C2M2-8_3_e. Assign cybersecurity responsibilities
- SIG Lite-SL_65. s there a process to ensure clients are notified prior to changes being made which may impact their service?
- SIG Lite-SL_90. Are change control procedures required for all changes to the production environment?
- SIG Core-G_2_10_2. Operations management
- FISMA-AC-2_4. Automated audit actions
Vulnerabilities​
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.